Wednesday, 2024-02-28

*** jph6 is now known as jph 00:21
*** mhen_ is now known as mhen 02:43
d34dh0r53 #startmeeting keystone 15:02
opendevmeet Meeting started Wed Feb 28 15:02:16 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02
opendevmeet Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02
opendevmeet The meeting name has been set to 'keystone' 15:02
d34dh0r53 #topic roll call 15:02
d34dh0r53 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema 15:02
d34dh0r53 o/ 15:02
gtema o/ 15:02
dmendiza[m] 🙋‍♂️ 15:03
d34dh0r53 #topic review past meeting work items 15:04
d34dh0r53 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-14-15.02.html 15:04
d34dh0r53 no updates from me, I was out of town for a week and didn't have much time to do anything 15:05
d34dh0r53 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation 15:05
d34dh0r53 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation 15:05
d34dh0r53 next up 15:05
d34dh0r53 #topic liaison updates 15:05
d34dh0r53 Caracal feature freeze starts next week 15:06
d34dh0r53 Friday actually 15:06
d34dh0r53 and I don't have anything from VMT 15:07
d34dh0r53 #topic specification OAuth 2.0 (hiromu) 15:07
d34dh0r53 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:07
d34dh0r53 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:07
d34dh0r53 External OAuth 2.0 Specification 15:07
d34dh0r53 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 15:08
d34dh0r53 OAuth 2.0 Implementation 15:08
d34dh0r53 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:08
d34dh0r53 OAuth 2.0 Documentation 15:08
d34dh0r53 #link https://review.opendev.org/c/openstack/keystone/+/838108 15:08
d34dh0r53 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 15:08
d34dh0r53 I haven't seen hiromu around in a while 15:09
d34dh0r53 we're really close to finishing these specs so hopefully we'll hear back from them 15:10
d34dh0r53 next up 15:10
d34dh0r53 #topic specification Secure RBAC (dmendiza[m]) 15:10
d34dh0r53 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10
d34dh0r53 2024.1 Release Timeline 15:10
d34dh0r53 Update oslo.policy in keystone to enforce_new_defaults=True 15:10
d34dh0r53 Update oslo.policy in keystone to enforce_scope=True 15:10
d34dh0r53 #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged) 15:10
d34dh0r53 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 15:10
dmendiza[m] 🙋‍♂️ 15:11
dmendiza[m] I think we've merged everything we needed for Phase 1 15:11
d34dh0r53 sweet! 15:11
d34dh0r53 so phase 2 in 2024.2? 15:12
d34dh0r53 next up 15:16
d34dh0r53 #topic specification Improve federated users management (gtema) 15:16
d34dh0r53 #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews 15:17
gtema still waiting for reviews ;-) 15:17
d34dh0r53 I just added mine, maybe dmendiza[m] or xek can take a look 15:17
gtema awesome, thanks 15:17
d34dh0r53 np 15:17
d34dh0r53 #topic open discussion 15:18
d34dh0r53 passlib 15:18
d34dh0r53 unmaintained 15:18
d34dh0r53 bcrypt issues with newer releases 15:18
d34dh0r53 python3.12 issues 15:18
d34dh0r53 I moved this to open discussion since it's not a spec 15:18
gtema so I started looking into it 15:18
d34dh0r53 There is an open issue https://foss.heptapod.net/python-libs/passlib/-/issues/187 regarding the maintenance status of passlib 15:18
d34dh0r53 I've been looking into it as well 15:19
gtema thanks Dave, I have seen that issue and it sadly is not really very promising 15:19
gtema Ansible sticking to passlib means the chances are that someone will at some point take it over 15:19
d34dh0r53 yeah, I replied to a comment on there and voted but it looks like the maintainer is essentially AWOL 15:19
gtema but when this happens is unknown 15:19
gtema I started playing around with kicking passlib away 15:20
d34dh0r53 oh cool, any luck? 15:20
gtema for default bcrypt there is absolutely no issue in using bcrypt directly 15:20
gtema for bcrypt_sha256 (and others) the issue is absolutely different 15:20
gtema while it is absolutely no problem to calculate hashes using cryptography or hashlib itself 15:21
gtema it is a problem to have support for old passwords hashed by passlib 15:21
gtema passlib is using black magic playing with charset, bincode, ... 15:21
gtema I really really dislike how it does all of that, especially that there is no need for that 15:22
gtema so basically we need to think which "compatibility" do we need 15:22
gtema (remembering this is the case for non-default hash method) 15:22
d34dh0r53 yeah, I didn't know it was that bad 15:23
gtema we could make passlib something like a "fallback", that is used when we see that password was hashed with it 15:23
gtema otherwise hash new password without passlib 15:23
gtema then at some point we would be able to drop it 15:23
d34dh0r53 yeah, that still means modifying requirements 15:23
gtema but that still keeps passlib in our dependencies 15:23
gtema no, we do not need to change dependencies 15:24
gtema bcrypt and cryptography are already there 15:24
d34dh0r53 I haven't been able to get keystone to deploy without changing the upper requirements to bcrypt==4.0.1 15:25
d34dh0r53 is there a way around that? 15:25
gtema ah, you mean that. 15:25
gtema don't know, I just played with what is in deps right now 15:25
gtema I mean venv from a few months ago 15:26
d34dh0r53 let me try something, I may be working with something incorrectly 15:27
gtema technically I can continue looking into passlib and finally reverse-engineer all the voodoo they do 15:27
gtema then we would be able to drop it completely 15:27
gtema just after 8h invested I was still not able to get all this uncovered 15:27
d34dh0r53 if ansible is going to require it, there is no way that it will continue to be unmaintained 15:27
gtema right, but the code is very ugly and still has so much from py2 15:28
gtema and on the other side it seems to be also a blocker for py3.12 15:28
gtema I think passlib is something we need to solve asap for the next release (not for the 2024.1) 15:29
d34dh0r53 right, I think so too 15:29
d34dh0r53 it's a priority for 2024.2 15:29
gtema I'll continue digging in next days 15:30
d34dh0r53 ok, thanks 15:30
gtema wlcm 15:30
d34dh0r53 anything else for open discussion? 15:31
gtema don't forget to submit your candidacy into elections repo 15:31
d34dh0r53 thank you! 15:32
d34dh0r53 #topic bug review 15:33
d34dh0r53 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:33
gtema thanks for going for the next round, I already started worrying 15:33
d34dh0r53 yeah, just been super busy and didn't realize that the date was coming up so quickly 15:34
d34dh0r53 we have a couple of new bugs for keystone, one looks like a docs bug that may or may not be complete 15:34
d34dh0r53 #link https://bugs.launchpad.net/keystone/+bug/2054800 15:35
d34dh0r53 and the second is an LDAP error that may also be incomplete 15:35
d34dh0r53 #link https://bugs.launchpad.net/keystone/+bug/2053297 15:35
d34dh0r53 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:35
d34dh0r53 python-keystoneclient is good 15:36
d34dh0r53 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:36
d34dh0r53 a docs bug has also been filed in keystoneauth 15:36
d34dh0r53 #link https://bugs.launchpad.net/keystoneauth/+bug/2054740 15:37
d34dh0r53 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:37
d34dh0r53 oops, there is also this bug for keystoneauth which has a fix up already 15:38
d34dh0r53 #link https://review.opendev.org/c/openstack/keystoneauth/+/909561 15:38
d34dh0r53 keystonemiddleware is good 15:38
d34dh0r53 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:39
d34dh0r53 pycadf is good 15:39
d34dh0r53 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:39
d34dh0r53 as is ldappool 15:39
d34dh0r53 that does it for bug review 15:39
d34dh0r53 #topic conclusion 15:39
d34dh0r53 I'm running again for PTL, and I just wanted to say thanks for all the help this cycle 15:40
d34dh0r53 It was a good one and I'm looking forward to a successful 2024.2 :) 15:41
d34dh0r53 #endmeeting 15:41
opendevmeet Meeting ended Wed Feb 28 15:41:24 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) 15:41
opendevmeet Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-28-15.02.html 15:41
opendevmeet Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-28-15.02.txt 15:41
opendevmeet Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-28-15.02.log.html 15:41
gtema thanks, cy 15:41
d34dh0r53 gtema: https://review.opendev.org/c/openstack/requirements/+/910534 FYI 16:39
gtema ack, will respect it in my work 16:40
d34dh0r53 hopefully we can revert that eventually, I'd really like to keep up with the latest bcrypt 16:42
gtema that's for sure 16:42
opendevreview Rafael Weingartner proposed openstack/keystone-specs master: Keystone identity mapping to support project definition as a JSON  https://review.opendev.org/c/openstack/keystone-specs/+/748748 17:43
